A Demo of and Preventing XSS in .NET Applications

Presentation transcript:

A Demo of and Preventing XSS in .NET Applications

Introduction – OWASP Top Ten – XSS – Microsoft Web Protection Library – OWASP AntiSamy .NET – Cat.NET & Others

OWASP Top Ten
1 Injection
2 Broken Authentication and Session Management
3 Cross-Site Scripting (XSS)
4 Insecure Direct Object References
5 Security Misconfiguration

OWASP Top Ten
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross-Site Request Forgery (CSRF)
9 Using Components with Known Vulnerabilities
10 Unvalidated Redirects and Forwards

Injection: SQL & XSS
– Cross-Site Scripting
– Information Leakage
– Principle of Least Privilege

The two top vulnerabilities share the same root cause: the programmer does not make a distinction between code and data.

Introduction – OWASP Top Ten – XSS – Microsoft Web Protection Library – OWASP AntiSamy .NET – Cat.NET & Others

XSS
– What it is
– Types of XSS

How To Mitigate
– Validate and constrain input
– Properly encode output
– Microsoft Anti-Cross Site Scripting Library

OWASP AntiSamy .NET
– What about Server.HTMLEncode? It uses a blacklist for exclusion, which is less secure.

Regex – home-grown approach

Goldilocks Problem
– Scrub data too little.
– Scrub data just right.
– Scrub data too hard.
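As an added example (not the presenter's demo code), the C# below contrasts the three scrubbing levels named on the Goldilocks slide with the blacklist-versus-encoding point from the mitigation slides; the method names are my own and the sample inputs are constructed.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Example written for this transcript (not the presenter's demo code):
// three ways to handle untrusted text bound for an HTML body, matching
// the deck's "scrub too little / just right / too hard" framing.
public static class XssGoldilocks
{
    // Too little: a blacklist that strips one tag name. Anything not on the
    // list (other tags, attributes, other casing) is still parsed as markup,
    // so data the user typed becomes code in the page.
    public static string ScrubTooLittle(string untrusted)
    {
        return untrusted.Replace("<script>", "").Replace("</script>", "");
    }

    // Too hard: delete every HTML metacharacter. Nothing is parsed as
    // markup, but legitimate data is destroyed ("AT&T" turns into "ATT").
    public static string ScrubTooHard(string untrusted)
    {
        return Regex.Replace(untrusted, "[<>&\"']", "");
    }

    // Just right: keep the data intact and encode it for the HTML-body
    // context at output time, so metacharacters render as text.
    // WebUtility.HtmlEncode is the framework encoder; Server.HtmlEncode in
    // ASP.NET and the Anti-XSS library's Encoder.HtmlEncode fill the same role.
    public static string EncodeJustRight(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted);
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the slides.
        string[] samples = { "AT&T says a < b", "<b>bold</b> <SCRIPT>x</SCRIPT>" };
        foreach (string s in samples)
        {
            Console.WriteLine("input     : " + s);
            Console.WriteLine("too little: " + ScrubTooLittle(s));
            Console.WriteLine("too hard  : " + ScrubTooHard(s));
            Console.WriteLine("just right: " + EncodeJustRight(s));
            Console.WriteLine();
        }
    }
}
```

Only the encoded output keeps "AT&T" and "a < b" readable while rendering every tag in the second sample as inert text; the blacklist leaves the bold and upper-case script tags as markup, and the aggressive scrub corrupts the first sample.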

Demo: XSS and, if time permits, SQL Injection

Introduction – OWASP Top Ten – XSS – Microsoft Web Protection Library – OWASP AntiSamy .NET – Cat.NET & Others

Pros…
– Validate input / encode output (Anti-XSS library)
– Helps with SQL injection and XSS
– Adds another level of defense
– Used by Microsoft as an internal tool

Cons…
– It's not perfect and it should not be our only defense layer.
– Microsoft doesn't update it as often as it should.
– We do have an open-source alternative (OWASP AntiSamy .NET).

Introduction – OWASP Top Ten – XSS – Microsoft Web Protection Library – OWASP AntiSamy .NET – Cat.NET & Others

Demo AntiSamy

Introduction – OWASP Top Ten – XSS – Microsoft Web Protection Library – OWASP AntiSamy .NET – Cat.NET

Cat.NET Demo

Resources

About Me
Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma. My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores. Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL). My current passion is talking and learning about security and integrating it into the SDLC to create secure code.
– Current project support manager, OWASP Code Review Project 2.0.
– INFOSEC Certificate Program at University of Tulsa
– ISC(2) CISSP Certification
– Committee on National Security Systems Certificates. NSTISSI No. 4011: Information Systems Security Professional, 4012: